Our recent cybersecurity report found that CISOs are constantly chasing the next technology solution and struggling to ensure they have enough people with the right expertise to manage the load. Chief Product Officer, Jake Holloway, considers how to strike the right balance to tackle cybersecurity risk management head on.
Escalating cyber-attacks and rapid technological innovation leave companies stretched thin, trying to defend themselves against threats using existing technology, while simultaneously having to understand and secure new tools and services.
New tools can help, but they need to be deployed as part of a robust strategy, and reinforced with considered and deeply embedded processes and policies if they are to have a notable effect.
Another struggle, according to 31 per cent of survey respondents, is the skills gap – because without enough people with the right expertise to manage the load, security teams are overwhelmed, struggle to process alerts and sometimes miss crucial ones.
The skills gap could be partially addressed by organisations putting more resources into training and upskilling their people. However, this is hard to do when the cybersecurity team has no spare capacity.
What can be done?
Key technology trends
The answer to growing risk could be found in new technology trends. Of the technology trends CISOs expected to become a priority in the next 12 months, the most cited was the transition to the cloud and cloud cybersecurity (41 per cent), followed by Cybersecurity Mesh Architecture (CSMA) (35 per cent) and growth in artificial intelligence and machine learning (31 per cent). There is no single technology silver bullet, however.
One CISO clarified: in some regulated sectors, we have to keep at least a portion of our data on-premises. The regulators are catching up and realising that cloud services can sometimes be more secure.
Moving to the cloud undoubtedly brings new risks, not least of which is the growth of shadow IT. CISOs we interviewed said that employees are often tempted to download a cloud app on a personal device so they can access their work data, not realising that this increases risk for the whole organisation. When many employees are tempted to do this, the risk can be significant. Another cloud issue highlighted was the fact that it can be difficult to know precisely where your business-critical data is once you move to the cloud.
Balancing skills and tools
But we also need the right people to make all this happen. The skills gap is real, but it is important to understand that skills shortages can be addressed by new approaches. Having the internal understanding and skillsets to manage cybersecurity risk to systems, assets, data and capabilities were highlighted as a significant problem by our respondents.
Budget needs to be put into training to help raise cyber skill levels across the board and the industry must find ways to lower barriers to entry. Certain gaps can be addressed with internal training or hiring people with specific skills. School leavers could contribute to a cybersecurity team while spending the early years of their career being trained to a comparable level to degree-level candidates, for example. Furthermore, some skills – such as cybersecurity audit skills or penetration testing – are niche enough that many organisations will not require people on staff to fulfil those roles; that’s where external consultants and third-party support can frequently help.
Equally, many cybersecurity tools now employ automation to reduce the burden on cybersecurity teams by detecting and acting on security alerts without any human intervention. This means analysts don’t need to deal with false positives, but it also means legitimate threats will be dealt with more quickly
Organisations must also have a proper discussion of risk at board level. Our interviewees told us that the board is often reluctant to tolerate any level of risk, but equally reluctant to spend what it takes to manage it. Overall, CISOs need the funds and support to build a cross-business cybersecurity strategy across their organisation and its supply chain that incorporates training, processes, policies, tools and frameworks.
The time to act to get short-term issues under control and then begin planning long-term strategy is now. Every month of delay leaves businesses open to crippling cyber-attacks.
To learn more about our research findings, read the full report.
For a free 30 minute consultation about your cybersecurity needs, click here.